One month to go: Is Your Business Ready For The EU-Wide Standards On Whistleblower Protection?
During the past years, multiple corporate scandals made the headlines, such as Facebook, Dieselgate or Cambridge Analytica. All these revelations have one thing in common: we became aware of them through the voice of individuals who were brave enough to blow the whistle.
As a direct response to these events, the European Commission presented a new regulation for a better protection of whistleblowers in the European Union. The EU Whistleblowing Directive is due to be implemented into national law by 17 December 2021. Here is a summary of the future implications for your business and for whistleblowers.
Who does it apply to?
The following organizations with EU-based operations will need to decide how to change their whistleblowing arrangements to comply with a potential patchwork of new rules:
- Companies and public entities with over 50 employees or with revenues exceeding €10 millions
- All state, regional administrations and municipalities with over 10 000 inhabitants.
- Whistleblowers will be entitled to protection under the Whistleblowing Directive when reporting on breaches of EU law.
- The directive does not extend to whistleblowers of breaches of non-EU laws.
A better protection for Whistleblowers
This new regulation will ensure a much higher protection for whistleblowers, and will have a broader scope as it will apply to any person reporting information linked to their workplace, whether they are employees or not - interns, contract workers or volunteers are all concerned.
Informants will be protected from any kind of retaliation (dismissal, demotion, etc.), and if the whistleblower is a victim of consequences from reporting, they should have access to free advisory and appropriate judicial remedy.
The Commission also expanded the list of report types that will be protected by this regulation: the relevant sectors go from public markets, food safety to data, consumer and environmental protection.
The directive also mentions (Chapter III) that whistleblowers can choose to make their report through an external reporting channel and still remain covered by the EU whistleblowing directive. This task can be assigned to a trade union representative, an external counsel, an auditor or any third party able to ensure that the report will be dealt with in a confidential manner.
What are the key requirements?
Although Member States implement the Directive at national level through local legislation, each of them must set minimum standards for the protection of whistleblowers, and any organization with 50 to 249 workers must, at least :
- Have reporting channels put in place, internally and/or externally, allowing employees to submit oral and written reports
- A professionally trained person or department, responsible for handling reports
- Acknowledge reports within 7 days and provide feedback or follow-up within 3 months (for complex cases, this timeframe can be extended up to 6 months)
- Protect whistleblowers from any form of retaliation, including negative performance reviews, removal of workplace duties, blacklisting, psychiatric or medical referral
- It is the responsibility of each individual member state to designate official external reporting channels and to provide them with the resources they need to accept and feedback on reports.
Member states are free to strengthen any of these requirements, and it remains up to them to set up and manage the following areas :
- The range of breaches that can be reported, for example whether this goes beyond certain breaches of EU law
- Whether organizations and competent authorities are obliged to accept and follow up on anonymous reports (in any case, when facing a sensitive issue where wider commercial considerations also play a role it is generally not recommended to ignore anonymous reports altogether)
- The penalties for retaliation. For example, France can impose a financial penalty of up to €200,000 ($239,000) for individuals and up to €1 million ($1.19 million) for corporate entities.
Next practical steps for employers
The December 17, 2021 deadline does not leave much time for organizations to prepare. Here are the key parameters to consider while getting ready to comply with the new legislation :
- Assess if your company falls under the scope of the directive and, if so, get informed on the local jurisdiction relative to your business
- Conduct a gap analysis of your existing whistleblowing/reporting channels (taking into account specific regulatory obligations for your industry)
- Designate responsible individuals (Case Managers) to handle reports (and ensure they are trained)
- Establish internal and/or external reporting channels allowing your employees to speak up
New challenges arise
The implementation of the Whistleblowing Directive will pose a number of challenges for organizations operating across borders, as they will face newly introduced and already existing regulations when it comes to whistleblowing.
- Centralized vs. Decentralized Programs: one of the key questions is whether a single whistleblowing framework and policy should be applied to the entire organization/company or whether country or region-specific approaches should be adopted. In the case where your organization chooses to apply a single framework, it must comply with the aspects of the Member State's whistleblowing legislation that offer the highest level of protection to ensure full compliance with all applicable local laws.
- Remote workers: another potential challenge, particularly with the rise of remote working, is how to deal with reports from internationally mobile employees and to determine which national legislation applies to the whistleblower. This is important from both the employee's and the employer's perspectives, with each potentially taking a different approach.
Companies have to bear in mind that under the new EU Directive, employees must have access to a safe and reliable way to speak up, and be protected when they choose to do so. Adapting to the new legislation means finding new systems and frameworks to be compliant, and giving up on the “one size fits all” approach when it comes to their Whistleblowing programs.